Yesterday the U.S. Department of Homeland Security (DHS) confirmed that they had suffered a data breach, potentially exposing the personal information of more than 247,000 current and former employees. The breach occurred in 2014 but was first discovered in May of last year, and allegedly includes employee names, dates of birth, and Social Security numbers.
Investigative information, such as witnesses, and details on private individuals obtained by the DHS between 2002 and 2014 were also potentially compromised in the breach. The amount of private civilian information exposed “varies for each individual depending on the documentation and evidence collected for a given case,” the DHS stated. Families of DHS employees do not appear to be at risk.
According to the DHS Office of the Inspector General (OIG), the breach did not occur due to a hack or other external malicious activity. Instead, the data was discovered in the possession of a former employee of the OIG during an ongoing criminal investigation. DHS officials would not disclose how the breach occurred, the former employee’s identity, or the nature of their investigation.
“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” said the agency on their website.
This late confirmation of a potentially staggering data breach is not the first of its kind; Uber last year admitted to covering up a data breach that had occurred in 2016 by paying off the hackers. While the delay in this case stemmed not from concern for the bottom line but for investigative integrity, it does speak to a recurring issue with modern leaks: insidiousness. Many breaches escape notice for years due to flaws in detection methods or access management policies. If our approach to these leaks does not change, the next such breach will be far more damaging.